I cannot protect my SPIN 5 from booting OS from USB and being hacked

crysman
crysman Member Posts: 22 Networker

With consternation I've just found my SPIN 5 has a faulty BIOS, because F12 to change boot order does not require superuser password (set in BIOS) - and it certainly should! In my long-term IT practice, I have not seen almost any BIOS (except for some rare s*itty old cheap mobos) where you could change boot order without entering the superuser password.

For obvious reasons, booting from other device than HDD can be easily misused to hack the computer. It's like leaving the door to your house open. Of course, you may still open the notebook and extract the HDD, but this takes considerably longer time, needs tools and is not a discrete action (like actually breaking or dismantling the door in the metaphore).

The only way possible to protect this notebook is to set the user password and require it on every boot, which is insufficient and silly, because both Windows and GNU/linux need to be restarted once a while and thus, cannot end up hanging on BIOS password prompt after performing "update and restart" in Windows e.g. Moreover, I need the computer to be used by more people, not just me.

If you disable F12, you're in trouble, still, because when you insert USB flash before powering on, it automatically boots from the USB flash (!) instead of from HDD and cannot be changed any way.

This is dangerously unsafe behavior. The correct way is to protect boot order changes by superpassword, like in every other BIOS out there.

Could you please make a BIOS update to fix this security issue?

Last BIOS update, which I have, was 2021/04/06 as you may see here https://www.acer.com/us-en/support/product-support/SP513-54N/NX.HQUEC.003/downloads?sn=NXHQUEC003021022336600

Answers

  • Puraw
    Puraw ACE, Member Posts: 13,229 Trailblazer

    On my 2 laptops (Aspire + Swift) I don't have F12 enabled in BIOS and when I boot with a bootable drive in the USB port the USB drive is NEVER at the top of the bootable devices list in BIOS, both laptops always boot to HDD0 (Windows boot manager) unless I change the boot devices list and reboot. 😉

  • crysman
    crysman Member Posts: 22 Networker

    yeah, this is what I would like to have, too, USB not to magically be the first device to boot…

  • billsey
    billsey ACE Posts: 34,138 Trailblazer

    You don't tell us, but the link you provide seems to indicate you have a SP513-54N model. On that model, and on almost every Acer product I know of, the F12 boot menu is disabled by default and the user has to manually turn it on before they can boot from anything other than the system drive. If you are worried about someone getting access by changing that, simply put a password on the BIOS and they won't be able to boot from a USB drive. I probably don't need to mention, but just keeping your laptop out of someone else's hands is your best defense for physically hacking into a system.

    Click on "Like" if you find my answer useful or click on "Yes" if it answers your question.
  • AnhEZ28
    AnhEZ28 ACE, Member Posts: 4,277 Pathfinder

    @crysman With the USB plugged in, go to the BIOS and change the HDD boot priority to the first one.

    Please remember to include @AnhEZ28 when you want to reply back to my comment so that I can check your response.
    Thank you and have a nice day!
  • crysman
    crysman Member Posts: 22 Networker

    Hello everyone,

    1. disabling F12 does not resolve the issue, as I said, when bootable USB flash is inserted, it automatically somehow makes itself the first bootable device.
    2. setting "user password" and protecting the boot process itself is not an option either, as I said, I do not want to have windows updates making the laptop hanging in BIOS password prompt after some of its restarts (sometimes even "update and power off" makes it a reboot first)

    More info:

    I am using UEFI, dualboot with GNU/Linux OS Pop OS with systemd-boot. Secureboot disabled.

  • billsey
    billsey ACE Posts: 34,138 Trailblazer

    First of all, you shouldn't need to disable secure boot in order to install Pop_OS!, re-enable secure boot so you don't have as big of chance to get the EFI load infected. Secondly Pop_OS! does it's own weird stuff with the boot process in order to make it more "user friendly", which does a good job of breaking dual boot for lots of combinations. Check the Grub configuration, it might be what's allowing the USB boot. The standard Windows Boot Manager, along with the F12 disable, will not boot from an external device without you explicitly allowing and choosing it.

    Click on "Like" if you find my answer useful or click on "Yes" if it answers your question.
  • crysman
    crysman Member Posts: 22 Networker
    edited August 29

    Hmm, OK, I will try to investigate further. I am using the simpler systemd-boot (https://support.system76.com/articles/bootloader/#efi-boot---pop_os-systemd-boot), not GRUB. I do not remember how it was before I made it dual-boot… Thanks for your comments.